Currently, computers are rarely operated in total isolation. Rather, most computers, particularly in a corporate setting, are networked. There are two basic types of networks. A local area network or “intranetwork” consists of individual computers and shared resources operating-within a single location, such as on one floor of a building. Similarly, a wide area network or “internetwork” consists of individual computers and resources, as well as intranetworks, interconnected over a distributed area, often geographically dispersed. The Internet, for example, is a public internetwork interconnecting clients worldwide.
Internetworks provide the infrastructure for emerging technologies that offer services to remote clients, such as electronic commerce. Remote clients send requests for goods, services, or information to each server. Many networks interface to the internetwork via a single link. Unfortunately, a single link has a limited throughput capacity and can quickly become saturated by service requests. In addition, the loss of the single link completely removes the network's services from the internetwork.
Therefore, networks containing servers that receive a high volume of service requests are often situated within a secure intranetwork having multiple connections (multi-paths) to the internetwork. A server is identified by a single network address and individual service requests are routed into and out of the intranetwork through a plurality of boundary controller or firewall devices. Service requests sent to the server can take different paths than responses generated by the server.
The multiple links provide several benefits. First, packets can be routed for improved throughput and load balancing. Although increased throughput could also be achieved by upgrading to a faster connection, high volume servers are generally connected to two or more Internet Server Providers (ISPs) for redundancy in the event of a hardware failure by an ISP. Structurally, most internetworks and intranetworks are based on a layered network model employing a stack of standardized protocol layers. The Transmission Control Protocol/Internet Protocol (TCP/IP) suite, such as described in W. R. Stevens, “TCP/IP Illustrated,” Vol. 1, Ch. 1 et seq., Addison-Wesley (1994), the disclosure of which is incorporated herein by reference, is a widely adopted network model. Computers and network resources using the TCP/IP suite implement hierarchical protocol stacks that include link, network, transport and, for clients and servers, application protocol layers.
The application protocol layers enable the servers to provide client services, such as communications, file transfer, electronic mail, content retrieval, and resource sharing. Application protocol layers are either connection-oriented or connectionless. A connection is a negotiated link interconnecting a server and client used to transact a communication session during which packets are exchanged between the server and client application protocol layers.
Connections are created by the transport protocol layers. For instance, the Transmission Control Protocol (TCP) provides a connection-oriented, reliable, byte stream service that can be used by application layer protocols to transact sessions. Communication sessions require the stepwise initiation and termination of a dedicated connection. TCP sessions must be initiated through a negotiated three-way handshaking sequence and preferably terminated with a four-segment sequence that gracefully closes the connection.
Managing the connections for communication sessions requires additional processing in a multi-pathed network environment. For instance, in one type of multi-pathed network topology, firewalls and boundary controllers perform active network security by validating TCP session requests on behalf of a protected server. While effective at shielding the server from attack, such security measures require two separate communication sessions: one TCP session between the firewall or boundary controller and the client and a second TCP session between the firewall or boundary controller and the server. The TCP sessions are logically “spliced” together by translating sequence numbers for each session. However, each firewall or boundary controller operates independently of any other boundary controller protecting the server. Communicating sequence numbers between the components is difficult. Consequently, the TCP sessions are ordinarily restricted to the original firewall or boundary controller, thereby nullifying the benefits of multi-pathed connections.
Similarly, packets are dynamically switched along multiple paths in a multi-pathed network environment. Ideally, peer packets can follow any route through the internetwork so long as the packets eventually reach the same destination. However, boundary controllers are not able to effectively manage a connection if all of the packets do not flow though that same boundary controller.
In another type of multi-pathed network topology, link layer boundary controllers validate incoming packets. From the perspective of a server operating within the protected enclave, these devices are transparent as packets flow directly to and from the clients without apparent interception. However, for certain tasks, such as packet validation, the boundary controllers may need to function on behalf of the server. By operating at the link layer, the boundary controllers are not able to utilize the connection information contained in the headers for the network and transport layers and only one boundary controller can perform validation functions, again voiding any benefit gained through a multi-pathed topology.
Therefore, there is a need for an approach to negotiating multi-pathed connections for communications sessions in a layered networking environment. Preferably, such an approach would enable intermediary devices, such as firewalls and boundary controllers, to seamlessly communicate connection information between each other, thereby allowing dynamic routing of packets for a given connection. Moreover, such an approach would allow the sharing of transport layer connection information between link layer transparent intermediary devices.